How to create a complex rule with system-config-securitylevel?

Deron Meranda deron.meranda at gmail.com
Thu Dec 2 03:05:09 UTC 2004


On Thu, 2 Dec 2004 09:17:50 +0800, John Summerfield
<debian at herakles.homelinux.org> wrote:
> On Thursday 02 December 2004 08:59, Vinicius wrote:
> > how to create a complex rule with system-config-securitylevel, please?
> >
> > For example, I would like to enable a range of public IP's to access a

The system-config-securitylevel application is just a front-end to
Red Hat's old Lokkit firewall tool from RHL 8.0.  It is only designed
for very simple configurations, as per its manual:

   "You should not try to use GNOME Lokkit to generate complex firewall
     rules. It is intended for average users who want to protect themselves
     while using a modem, cable, or DSL Internet connection. To configure
     specific firewall rules, refer to the Firewalling with iptables  chapter in
     the Official Red Hat Linux Reference Guide."

That said, it's not all or nothing.  You can use the gui to set up the
simple firewall rules that make sense.  And then use iptables directly
for your additional complex rules.  It's still well worth learning
iptables itself, or use a more complete frontend firewall
configuration tool.  But if you need to, the trick is to insert your
custom rules before those created by the lokkit tool.  All the rules
that system-config-securitylevel creates are placed into a filter
chain named "RH-Firewall-1-INPUT".  Then a single rule is placed in
the main "INPUT" and "FORWARD" chains which points to it; e.g.,
something like,

   # iptables -L
   Chain INPUT (policy ACCEPT)
   target     prot opt source               destination
   RH-Firewall-1-INPUT  all  --  anywhere             anywhere

   Chain FORWARD (policy ACCEPT)
   target     prot opt source               destination
   RH-Firewall-1-INPUT  all  --  anywhere             anywhere

   Chain OUTPUT (policy ACCEPT)
   target     prot opt source               destination

   Chain RH-Firewall-1-INPUT (2 references)
   target     prot opt source               destination
   ACCEPT     all  --  anywhere             anywhere
   ACCEPT     icmp --  anywhere             anywhere            icmp any
   ACCEPT     ipv6-crypt--  anywhere             anywhere
   ACCEPT     ipv6-auth--  anywhere             anywhere
   ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:5353
   ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
   ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
   ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
   REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited


So say you now want to also add a custom rule that allows TCP inbound
traffic to port 12345 only from IPs in the range 192.168.40.0 through
192.168.40.255.  You must INSERT your rule ahead of the one that calls
the RH-Firewall-1-INPUT chain; as,

   # iptables -I INPUT 1  -p tcp --dport 12345 -s 192.168.40.0/24 -j ACCEPT

The "1" after the "-I INPUT" says to insert your rule 1st.

Then, to get your custom rule to survive reboots, you need to save it,

   # service iptables save
or
   # iptables-save >/etc/sysconfig/iptables

That should get you by until you read the iptables documentation or
use a more complex firewall configuration tool.
-- 
Deron Meranda
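An added check for the ordering point made above (example code, not part of the original post): it parses `iptables -L` output in the column layout shown and reports whether the custom ACCEPT rule sits ahead of the jump to RH-Firewall-1-INPUT. The two listings are constructed samples, one with the rule appended (-A) and one with it inserted (-I INPUT 1).

```python
# Constructed sample: the custom rule was appended (-A), so it sits after the
# jump to RH-Firewall-1-INPUT and is never reached (that chain ends in REJECT).
APPENDED = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere
ACCEPT     tcp  --  192.168.40.0/24      anywhere            tcp dpt:12345

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
"""

# Constructed sample: the same rule after `iptables -I INPUT 1 ...`, now first.
INSERTED = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  192.168.40.0/24      anywhere            tcp dpt:12345
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
"""


def parse_chains(listing):
    """Return {chain: [rule, ...]} in evaluation order from `iptables -L` text."""
    chains, current = {}, None
    for line in listing.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
        elif current and line.strip() and not line.startswith("target"):
            # Columns: target prot opt source destination [match options]
            f = line.split(None, 5)
            chains[current].append({"target": f[0], "prot": f[1], "source": f[3],
                                    "destination": f[4],
                                    "options": f[5] if len(f) > 5 else ""})
    return chains


def rule_is_reachable(listing, source, dport, chain="INPUT", jump="RH-Firewall-1-INPUT"):
    """True only if an ACCEPT for tcp dpt:<dport> from <source> precedes the jump."""
    for rule in parse_chains(listing).get(chain, []):
        if rule["target"] == jump:
            return False  # jump comes first: packet hits the chain's final REJECT
        if (rule["target"] == "ACCEPT" and rule["prot"] == "tcp"
                and rule["source"] == source and f"dpt:{dport}" in rule["options"]):
            return True
    return False
```

Feed the live output of `iptables -L` to rule_is_reachable to confirm the insert actually landed ahead of the jump rather than after it.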